Hello. I want to confirm my understanding of this amazing module. In my use case we have a cloud service that is doing a pre-authentication for us and returning the auth code/state to our Apache server. Everything that I was able to find here is that mod_auth_openidc needs to initiate the authentication itself so it can set the state/session cookies, or else we get the unsolicited response error ((#70 (comment))). Can someone help to confirm that mod_auth_openidc cannot be used to make the token request to my provider without it having done the authentication of the user? Just trying to make sure I am not missing something. The module works great for the normal scenario where it takes care of redirecting for authentication and then exchanging the code for tokens. I am attaching a flow diagram of what I am trying to describe.
Replies: 1 comment 1 reply
There's no way to do that, and if there were, it would open up a CSRF vulnerability.
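To make the reply's CSRF point concrete, here is an added example (not mod_auth_openidc's code, and not from either participant) of the state binding that an authorization-code relying party performs. The class and function names, the cookie name `oidc_state`, and the sample codes are this example's own assumptions. The RP generates `state` when it starts the login, stores it in a cookie on the initiating browser, and on the callback only exchanges the code if the returned `state` matches that cookie. A callback the RP never initiated (the asker's external pre-authentication) has no matching cookie and is rejected as unsolicited; the same check is what stops an attacker from pushing a code bound to their own account into a victim's browser.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Browser:
    """Stand-in for one user agent: just its cookie jar."""
    cookies: dict = field(default_factory=dict)


class RelyingParty:
    """Hypothetical minimal OIDC relying party (illustration only)."""

    def __init__(self) -> None:
        self.exchanged: list[str] = []  # codes actually sent to the token endpoint

    def start_login(self, browser: Browser) -> str:
        """RP-initiated login: mint a fresh state and bind it to this browser."""
        state = secrets.token_urlsafe(32)
        # In a real deployment this cookie would be HttpOnly and SameSite.
        browser.cookies["oidc_state"] = state
        return f"https://op.example/authorize?response_type=code&state={state}"

    def callback(self, browser: Browser, code: str, state: str) -> bool:
        """Redirect-URI handler: exchange the code only if state matches our cookie."""
        expected = browser.cookies.pop("oidc_state", None)
        if expected is None or not hmac.compare_digest(expected, state):
            # No binding to a login this RP started: unsolicited response, no token request.
            return False
        self.exchanged.append(code)
        return True


def _state_from(url: str) -> str:
    # state is the last query parameter in start_login's URL
    return url.split("state=", 1)[1]


def normal_flow() -> bool:
    """RP starts the login; the same browser returns with the matching state."""
    rp, user = RelyingParty(), Browser()
    state = _state_from(rp.start_login(user))
    return rp.callback(user, code="code-for-user", state=state)


def unsolicited_flow() -> bool:
    """An external service ran the authorization step; the RP set no cookie."""
    rp, user = RelyingParty(), Browser()
    return rp.callback(user, code="code-from-external-service", state="anything")


def login_csrf_attempt() -> bool:
    """Attacker completes their own login, then sends the victim to the callback
    with the attacker's code and state (constructed scenario)."""
    rp, attacker, victim = RelyingParty(), Browser(), Browser()
    attacker_state = _state_from(rp.start_login(attacker))
    return rp.callback(victim, code="code-for-attacker-account", state=attacker_state)
```

`normal_flow()` returns True and the code is exchanged; `unsolicited_flow()` and `login_csrf_attempt()` both return False without any token request, which is the behaviour the reply describes: if the RP accepted a code it did not solicit, the third scenario would log the victim into the attacker's account.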